GDPR and Your Business.

GDPR is a great opportunity to further focus on customer experience.

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect. We believe this presents a new opportunity for companies to strengthen their brand loyalty by focusing on consumer privacy while delivering amazing experiences. Think of it as experiential privacy — having privacy be a key part of the customer experience, through relevant privacy notices presented in context and choices that are on brand.

“Adobe is leading the charge in helping brands transform into experience businesses, and GDPR presents the perfect opportunity for companies to lean in to customer centricity, build trust through transparency, and improve the customer experience with privacy in mind.”

Alisa Bergman

Chief privacy officer, Adobe

What is GDPR and how does it affect your business?

GDPR is the European Union’s new privacy law that harmonizes and modernizes data protection requirements. While there are many new or enhanced requirements, the core underlying principles remain the same. The new rules have a broad definition of personal data and a wide reach, affecting any company that collects personal information of individuals in the EU. As your trusted data processor, we’re committed to compliance and to helping you on your GDPR compliance journey.

What is Adobe doing toward GDPR readiness?

Adobe either already meets or is implementing our obligations as a data processor. We have a strong foundation of certified security and privacy controls by design and will continue to make product enhancements in advance of the May 2018 deadline. Enterprise customers will have the responsibility to implement these enhancements, as well as update any necessary policies and procedures.

A strong foundation of security and privacy compliance

We’ve implemented a set of certified security processes and controls to help protect the data entrusted to us through the Adobe Common Controls Framework. This helps us comply with several security and privacy certifications, standards, and regulations, including SOC-2, ISO 27001, and the EU-U.S. Privacy Shield.

Our mission is to help you responsibly unlock the power of data. Adobe has a long-standing practice of incorporating a proactive product development effort, also known as “privacy by design.” For example, many of our services have the ability to obfuscate IP addresses and allow individual-level opt-outs.

Data transfer

We’ve certified to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks for customer-related data. This provides our customers with the option of relying on these frameworks or entering into Standard Contractual Clauses (also known as EU Model Clauses) for the transfer of data from the EU to the U.S. You can find more information on this in our Privacy Center, along with information on how to request Standard Contractual Clauses.

We’re working to more formally document the privacy practices we have in place to comply with the enhanced record keeping requirements.

Data protection team

We currently have a chief privacy officer, an Irish data protection officer, and a dedicated privacy team, and will continue to evaluate whether we need to take any additional steps in light of the new requirements.

Product and process innovation

We are constantly listening to our customers and looking for ways to simplify and further automate our product and service offerings to better support their GDPR needs.

GDPR readiness: A shared responsibility.

GDPR is a shared compliance journey, with the regulation setting out the obligations for the various parties. The example below from Adobe Experience Cloud sets out the roles for brands or “data controllers,” technology providers or “data processors,” and the places where the processor may need to help or partner with the controller either through tools, processes, or documentation to help the controller.

Your customers’ rights as data subjects.

A key part of GDPR is letting individuals choose what happens to their personal data. Individuals can ask companies to:

As the data controller, you will determine the personal data we process and store on your behalf. If you use Adobe cloud solutions, we may process personal data for you depending on the products and solutions you use and the information you choose to send to your Adobe account or service. As a controller, you will provide privacy notices to individuals who engage with your brands detailing how you collect and use information, and obtain consents, if needed. If those individuals want to know what data you maintain about them or decide they want to discontinue their relationship with you, you will respond to those requests.

Our role as a data processor.

When we provide software and services to an enterprise, we’re acting as a data processor for the personal data you ask us to process and store as part of providing the services to you. As a data processor, we only process personal data in accordance with your company’s permission and instructions — for example, as set out in your agreement with us. Where your data is in one of Adobe’s cloud solutions and you need our assistance with any individual consumer requests, we will partner with you through processes, products, services, and tools to help you respond.

It’s time for an assessment.

GDPR puts increased emphasis on data collection best practices, data controller transparency, and consumer choice — all of which play a meaningful role in the customer experience. With an eye toward customer experience, you may want to think about how the following GDPR principles affect your business efforts.

Reduce unnecessary data collection

Take stock of the data you’re collecting. Gather only the data you need to be effective.

Obtain appropriate consent

When will consent be required and what form will it take? How will you provide delightful customer experiences with consent and without unwanted surprises? Consider the value proposition for consumer privacy, which can help drive conversion and loyalty.

Provide the required notice for data collection

Review and update your current privacy notices, policies, and any information provided at data collection points.

Remove unique identifiers

Consider when to make some data anonymous or pseudonymous (by replacing obviously personal details with another unique identifier, typically generated through hashing, encryption, or tokens) to help minimize compliance obligations and the risk of data and privacy breaches and claims.

Fulfill data access and delete requests

Understand how your customer will reach out to you to make data access or delete requests. Know how to define internal data retention and deletion policies and procedures.

Get started.

Here are five steps you can take to help prepare for GDPR readiness.

Inventory your digital properties, including mobile apps and websites, to assess which cookies, tags, or other data are necessary.

Think about how you will authenticate user identity to address data subject access requests.

Identify or capitalize on existing processes to help respond to data subject access requests, including appointing a privacy point of contact.

Take the long view on privacy.

Think and design today with tomorrow’s privacy in mind. While GDPR will soon go into effect in Europe, GDPR-inspired privacy regulations are already cascading into other regions and countries. Putting in the work necessary to comply with GDPR will position you well for future privacy compliance efforts in Asia and other parts of the world.